1. Field of the Invention
The present invention relates generally to digital networks and, more specifically, to digital networks that employ authentication protocols, such as those that provide high-speed Internet, telephone and television services to customers' homes.
2. Description of the Related Art
Digital service providers are using their networks to deliver an ever-broadening array of services to their subscribers' or customers' homes or other premises. Whereas once a digital subscriber line (DSL) was used solely to provide subscribers with Internet Web and e-mail access, today's service providers wish to bundle Internet service with voice (telephony) and video (television) services. (Such bundled Internet, voice and video service is sometimes colloquially referred to as “triple play” service.) Optical fiber-based technologies, such as the passive optical network (PON), offer perhaps even more promising alternatives to DSL. Fully optical networks, which some have referred to as “fiber-to-the-premises” (FTTP), are increasingly being developed and deployed.
As the complexity and value of digital services have increased, so has the need for security and convenience. The longstanding username-and-password login procedure for providing network security is increasingly considered unacceptable. More automated authentication alternatives have been proposed, and the IEEE 802.1x standard for port-based network access control has emerged as the most popular. The IEEE 802.1x standard ties the Extensible Authentication Protocol (EAP) to the local area network (LAN) environment and thus is sometimes referred to as EAP-over-LAN (EAPOL). “Authentication” refers generally to the process by which a network verifies that a client device attempting to access the network is authorized to access the network and blocks access if the authentication process indicates that the client device lacks authorization.
More specifically, the 802.1x or EAPOL authentication process begins with a client device (referred to in this context as a “supplicant”) attempting to connect with a node of the network to which the client device desires access (referred to in this context as an “access node” or “authenticator”). The access node responds by enabling a port for passing only EAP packets received from the client device to an authentication server located on the network side of the access node. The access node blocks or filters out all non-EAP data packets that the client device may transmit, until the access node can verify the client device's identity using local authentication or a backend authentication server (e.g., a RADIUS server). Once authenticated, the access node opens the client device's port for other types of packets.
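The port-based access control just described can be modelled as a small state machine. The following Python program is an added illustration written for this section; it is not code from the patent or from any 802.1x implementation. The frame layout, the EtherType constant 0x888E (the value registered for EAP over LAN), the supplicant identities and the authentication-server table are simplified or constructed assumptions.

```python
"""Simplified model of an IEEE 802.1x authenticator port (added example).

Before a supplicant is authenticated, the port forwards only EAPOL frames
to the authentication server and drops every other frame.  After a
successful authentication the port is opened for ordinary traffic.
"""
from dataclasses import dataclass

EAPOL_ETHERTYPE = 0x888E   # EtherType for EAP over LAN (EAPOL)
IPV4_ETHERTYPE = 0x0800    # ordinary data traffic


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes   # for EAPOL frames: the identity the supplicant claims (simplified)


class AuthServer:
    """Stand-in for local authentication or a RADIUS back end.

    The set of accepted identities is constructed for this example.
    """

    def __init__(self, allowed_identities):
        self.allowed = set(allowed_identities)

    def check(self, identity: bytes) -> bool:
        return identity in self.allowed


class AuthenticatorPort:
    """One access-node port in the 'authenticator' role."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.authorized_macs = set()   # supplicants whose port is open
        self.dropped = []              # non-EAP frames filtered before authentication

    def receive(self, frame: Frame) -> str:
        # An already authenticated client may send any kind of packet.
        if frame.src_mac in self.authorized_macs:
            return "forward"
        # Unauthenticated client: only EAPOL is passed on, to the auth server.
        if frame.ethertype == EAPOL_ETHERTYPE:
            if self.server.check(frame.payload):
                self.authorized_macs.add(frame.src_mac)
                return "authorized"
            return "rejected"
        # Everything else is blocked until the identity is verified.
        self.dropped.append(frame)
        return "dropped"

    def reset(self):
        """Models the port losing its state (e.g. a card reset): every client
        must authenticate again before non-EAP traffic is forwarded."""
        self.authorized_macs.clear()


def demo():
    """Walks one supplicant through the sequence described in the text."""
    port = AuthenticatorPort(AuthServer([b"subscriber-001"]))   # constructed identity
    cpe = "00:1a:2b:3c:4d:5e"                                    # constructed MAC
    return [
        port.receive(Frame(cpe, IPV4_ETHERTYPE, b"http-request")),   # blocked: not yet authenticated
        port.receive(Frame(cpe, EAPOL_ETHERTYPE, b"subscriber-001")),  # EAP exchange succeeds
        port.receive(Frame(cpe, IPV4_ETHERTYPE, b"http-request")),   # now forwarded
    ]


if __name__ == "__main__":
    print(demo())
```

Running the block prints the three outcomes for the single client in `demo()`; the `reset()` method is there to show why a client that was authorized before a port lost its state has to complete EAP again before its data frames pass.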
In a network of the type described above, through which a service provider delivers services to subscribers or customers, the client device that participates in the 802.1x authentication process is commonly referred to as customer premises equipment (CPE). An increasingly popular type of CPE, especially in networks that offer triple play service, is known as a residential gateway. A residential gateway sets up a sub-network or subscriber network to which a user can connect a variety of devices, such as computers, (television) set-top boxes, voice-over-Internet Protocol (VoIP) telephones, IP fax machines, etc.
A client device, such as a residential gateway or other CPE, must have an Internet Protocol (IP) address to operate on the network. In IP-based networks that provide Internet access to subscribers through, for example, a DSL, the most common method of providing a client device with an IP address uses the dynamic host configuration protocol (DHCP). DHCP enables a network device to extract its configuration from a server (the “DHCP server”), even though the DHCP server may have no exact information about the device until it requests the information. The IP address remains valid for some predetermined “lease period,” after which it expires, and the client device is required to obtain a new IP address from the DHCP server. The client device commonly obtains an IP address in this manner when the user first powers it up, when the client device re-boots, or when the lease period expires.
A media access control (MAC) address is a number that uniquely identifies a computer or other device that has a network (typically, Ethernet) interface. It is sometimes referred to as a hardware address or physical address. Unlike the IP address, it includes no indication of where the device is located. Each (IEEE 802-compliant) network device worldwide has a unique 48-bit MAC address, where the first 24 bits indicate the manufacturer and the last 24 bits are analogous to a product serial number, i.e., a unique number assigned by the manufacturer for each manufactured card/controller chip unit. A network node in the path between the CPE and the service provider's network (e.g., an access node) commonly maintains an IP address table that relates or maps each client device's MAC address to its IP address. The network node learns the entries in this table by snooping the IP address assignment protocol. The network node maintains the table for reasons that include preventing spoofing, i.e., intruding in a network by transmitting packets bearing an IP address obtained in an unauthorized manner. For this reason, such a table is sometimes referred to as an anti-spoofing table. Such a table is also used for the proxy-Address Resolution Protocol (ARP).
For network security reasons, a network node may block communications from a client device, such as a residential gateway or other CPE, if the network node determines that a device IP or MAC address has changed from that which had been previously identified (and stored in the table), as it suggests that an intruder is attempting to spoof an authenticated device. Occasionally, however, malfunctions or other events in the network (e.g., a network node or card thereof was reset) result in a client device that has previously been authenticated losing its ability to communicate because the malfunction or other event caused the information stored in the tables to be lost, corrupted or otherwise unusable. It is therefore possible for a network node to block communications from a client device, such as a residential gateway, that was previously authenticated and authorized. Although the client device may participate in another 802.1x authentication if challenged by the network server, it will continue to use the same IP address it had been using before the problem occurred until such time as the lease period expires or the user manually re-boots the client device (e.g., turns the power off and then on again or presses a “restart” button) or otherwise triggers DHCP renewal. One solution that has been suggested is to revise or extend the DHCP standard to provide for an additional DHCP message that would be known as “DHCP RENEW.” In accordance with this proposal, a DHCP server could transmit a DHCP renew message to a client device to force the client device to renew its IP address. Nevertheless, security concerns and other issues have slowed the adoption of this suggestion.
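The anti-spoofing table of the two preceding paragraphs, and the failure mode this section describes (a reset wipes the table and a still-authenticated client is blocked until its DHCP lease is renewed), can be shown in a few dozen lines. The program below is an added example written for this section, not code from the patent or from any access-node product. The DHCP ACK and packet structures are reduced to the fields the table needs, and all MAC addresses, IP addresses and lease times are constructed values.

```python
"""Added example: an access node's MAC-to-IP anti-spoofing table.

The table is learned by snooping DHCP ACKs, enforced on forwarded
traffic, and lost on a simulated card reset, which reproduces the
blocking problem described in the text.
"""
from dataclasses import dataclass
from typing import Dict, List


def oui(mac: str) -> str:
    """Manufacturer part of a MAC address: the first 24 bits (three octets)."""
    return ":".join(mac.lower().split(":")[:3])


@dataclass
class DhcpAck:            # simplified: only the fields the table uses
    client_mac: str
    yiaddr: str           # the IP address the server assigns to the client
    lease_seconds: int


@dataclass
class IpPacket:
    src_mac: str
    src_ip: str


@dataclass
class Binding:
    ip: str
    expires_at: int       # lease expiry, seconds on the node's clock


class AntiSpoofTable:
    def __init__(self):
        self.bindings: Dict[str, Binding] = {}

    def snoop_dhcp_ack(self, ack: DhcpAck, now: int) -> None:
        """Learn (or refresh) the MAC-to-IP mapping from an observed DHCP ACK."""
        self.bindings[ack.client_mac] = Binding(ack.yiaddr, now + ack.lease_seconds)

    def reset(self) -> None:
        """Models the node or card reset in the text: learned state is lost."""
        self.bindings.clear()

    def check(self, pkt: IpPacket, now: int) -> str:
        """Decide whether a client packet is forwarded or blocked."""
        binding = self.bindings.get(pkt.src_mac)
        if binding is None:
            return "block-unknown"        # no entry: never learned, or lost in a reset
        if now >= binding.expires_at:
            del self.bindings[pkt.src_mac]
            return "block-expired"        # lease over; client must renew via DHCP
        if binding.ip != pkt.src_ip:
            return "block-mismatch"       # MAC/IP pair changed: treated as spoofing
        return "forward"


def scenario() -> List[str]:
    """Runs the sequence of events described in the text and returns each decision."""
    table = AntiSpoofTable()
    gateway = "00:1a:2b:3c:4d:5e"   # constructed residential-gateway MAC
    other = "de:ad:be:ef:00:01"     # constructed MAC of a different device
    log = []
    table.snoop_dhcp_ack(DhcpAck(gateway, "10.0.0.7", 3600), now=0)
    log.append(table.check(IpPacket(gateway, "10.0.0.7"), now=10))    # normal traffic
    log.append(table.check(IpPacket(other, "10.0.0.7"), now=11))      # someone else using that IP
    log.append(table.check(IpPacket(gateway, "10.0.0.99"), now=12))   # gateway's IP changed
    table.reset()                                                     # card reset wipes the table
    log.append(table.check(IpPacket(gateway, "10.0.0.7"), now=120))   # authenticated client blocked
    table.snoop_dhcp_ack(DhcpAck(gateway, "10.0.0.7", 3600), now=3600)  # lease renewal relearns it
    log.append(table.check(IpPacket(gateway, "10.0.0.7"), now=3610))  # service restored
    return log


if __name__ == "__main__":
    for step, decision in enumerate(scenario(), 1):
        print(step, decision)
```

The fourth decision in `scenario()` is the problem the text identifies: after the reset the gateway keeps sending from the address it already holds, the node has no binding for it, and traffic stays blocked until the lease runs out or the user reboots the gateway and DHCP repopulates the table.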
There is presently no secure, straightforward solution in the art for ensuring continuation of proper operation following certain events in networks in which IEEE 802.1x authentication is used for security and DHCP is used to configure client devices. The present invention addresses these problems and deficiencies and others in the manner described below.